Web applications have historically been plagued by vulnerabilities which allow attackers to compromise the session of a logged-in user: XSS, CSRF, clickjacking and related issues are common problems that most developers learn about – often the hard way! Luckily, new security mechanisms available in web browsers in 2019 offer exciting features which allow developers to protect their applications. In this talk, we’ll introduce these features and explain how to most effectively use them.
We’ll start by reviewing major threats based on an analysis of thousands of vulnerability reports Google receives each year under our Vulnerability Reward Program. We will find common themes between bugs which appear unrelated and focus our attention on the most frequent high-risk problems.
We’ll then turn our attention to protective mechanisms implemented in modern browsers, which address entire classes of security problems. This includes CSP3 and Trusted Types to prevent XSS, Fetch Metadata Request Headers to protect from CSRF, and CORP/COOP to mitigate the threat of Spectre. For CSP and Metadata Request headers we’ll provide reference implementations for Python.
By the end, you will have a good understanding of common threats and a TODO for enabling protections in your application.